<?xml version='1.0' encoding='utf-8' ?>
<iCalendar xmlns:pentabarf='http://pentabarf.org' xmlns:xCal='urn:ietf:params:xml:ns:xcal'>
    <vcalendar>
        <version>2.0</version>
        <prodid>-//Pentabarf//Schedule//EN</prodid>
        <x-wr-caldesc></x-wr-caldesc>
        <x-wr-calname></x-wr-calname>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>SVTD8P@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-SVTD8P</pentabarf:event-slug>
            <pentabarf:title>Orange is the new Black</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T091500</dtstart>
            <dtend>20240905T092000</dtend>
            <duration>000500</duration>
            <summary>Orange is the new Black</summary>
            <description>Oranges: The Juicy Heartbeat of Innovation and Well-being

Prepare to embark on a vibrant journey into the world of one of nature&#x27;s most extraordinary gifts—Oranges! As we gather here today, let us peel back the layers of this citrus marvel to reveal the rich tapestry of innovation, health, and cultural significance that it brings to our lives. This kick-off will be an exhilarating exploration of the orange&#x27;s journey from grove to greatness, celebrating its role as a catalyst for health, culinary creativity, and economic vitality.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/SVTD8P/</url>
            <location>Main track</location>
            
            <attendee>Fish_, Cherry and Stef</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>XVEWPL@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-XVEWPL</pentabarf:event-slug>
            <pentabarf:title>Cybersecurity’s New Imperative: Metawar - Defending the Cognitive Infrastructure.</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T092000</dtstart>
            <dtend>20240905T100000</dtend>
            <duration>004000</duration>
            <summary>Cybersecurity’s New Imperative: Metawar - Defending the Cognitive Infrastructure.</summary>
            <description>A long time ago, on June 27, 1991, Winn testified before the US Congress and was asked, “Mr. Schwartau: Why would the bad guys ever want to use the internet?” 

Today, our cognitive infrastructure is under attack, and humanity needs hackers more than ever. 

Metawar is the art and science of creating immersive experiences to influence, alter, and define one’s sense of reality. It is the battle for control over one’s belief systems, identity, and sense of reality outside one’s conscious awareness. Reason and emotion are incompatible operating systems. 

Big Tech is digitally terraforming the planet’s future cognitive infrastructure, Web 3.0, with little concern for the downsides. The metaverse is an evolving, immersive storytelling environment designed to be the most powerful and addictive reality distortion machine ever conceived. It will also predict and anticipate your every desire and every move! 

On the global stage, metawar represents the sixth domain of warfare. They who control the technology control the narrative, and reality is only a keystroke away. 

We have no choice but to learn how to coexist with the reality-distorting technologies we have created by implementing technical, policy, and cognitive defenses to protect our sense of truth, reality, and self-identity. 

Winn’s keynote is a call to action. 

The hacker community is among the best problem solvers the planet has ever seen. It acts as a team, a collective of like-minded individuals with an amazing array of skills who stop at nothing to achieve their aims—against all odds.

Winn challenges us with a new goal: Strengthen and defend the human mental immune system. Our brains, sensory nervous systems, and minds are the new attack surface.

Will the hacker community rise to the challenge of solving the most existential threat it has ever faced?</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/XVEWPL/</url>
            <location>Main track</location>
            
            <attendee>Winn Schwartau</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>FSCA3A@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-FSCA3A</pentabarf:event-slug>
            <pentabarf:title>Low Energy to High Energy: Hacking Nearby EV-Chargers Over Bluetooth</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T100000</dtstart>
            <dtend>20240905T103000</dtend>
            <duration>003000</duration>
            <summary>Low Energy to High Energy: Hacking Nearby EV-Chargers Over Bluetooth</summary>
            <description>As electric vehicles become increasingly integrated into our transportation infrastructure, the security of their charging systems is becoming paramount. A threat actor hacking EV chargers at scale could have a real-life impact on the continuity of our power grid and the transportation sector. Therefore, it is important that manufacturers and operators are well aware of their role in protecting our power grid.

This year we demonstrated several zero-day attacks against commonly used EV chargers during the international Pwn2Own Automotive competition. Most of these vulnerabilities were very easy to find once the firmware was extracted. The lack of mitigations against binary exploitation meant writing the exploits was also straightforward.

In this talk, we will explain the vulnerabilities we found, the exploits we developed and what lessons about IoT security in general can be learned from this.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/FSCA3A/</url>
            <location>Main track</location>
            
            <attendee>Daan Keuper</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>EFL9RJ@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-EFL9RJ</pentabarf:event-slug>
            <pentabarf:title>Making penetration testing auditable</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T110000</dtstart>
            <dtend>20240905T113000</dtend>
            <duration>003000</duration>
            <summary>Making penetration testing auditable</summary>
            <description>### Unveiling a Revolutionary Approach to Penetration Testing: The Methodology for Information Security Research with Audit Value

In the ever-evolving landscape of cybersecurity, penetration testing has become a cornerstone for ensuring product security and compliance. However, the methods of conducting these tests can vary significantly, sometimes offering clear insights and other times leaving much to be desired. Clients rely on these tests not only for assurance but also for their crucial audit value. The recent COVID-19 crisis highlighted a vital need: enhancing client assurance through more transparent and reliable penetration tests, a necessity increasingly driven by stringent legislation.

#### A Unique Collaboration for Enhanced Security

This realization led to the formation of a groundbreaking collaboration, bringing together clients, software developers, pentesters, auditors, and information security researchers. Our innovative approach is designed to empower every knowledgeable professional to contribute, ensuring that every critical component is thoroughly examined. Welcome to the Methodology for Information Security Research with Audit Value.

#### Focusing on Open Standards

Our methodology is rooted in open standards, promoting transparency, interoperability, and innovation. By adhering to these standards, we ensure that our approach is not only robust but also adaptable to various environments and requirements. Open standards facilitate a common language and framework, making it easier for all stakeholders to collaborate and for solutions to integrate seamlessly.

#### Addressing Requirements and Consequences

The Methodology for Information Security Research with Audit Value goes beyond merely meeting requirements. It provides a clear understanding of the consequences if certain aspects are missing, ensuring that clients are fully informed of potential risks and impacts. This comprehensive approach includes:

- **Procurement Requirements**: Ensuring that all inkoopeisen (procurement requirements) are met with precision, helping clients make informed decisions when acquiring new products or services.
- **Legal Aspects**: Addressing all juridische aspecten (legal aspects) to ensure compliance with relevant laws and regulations, thereby minimizing legal risks and liabilities.

#### Providing Comprehensive Compliance Tools

Our methodology equips you with everything needed to achieve and maintain compliance. From detailed guidelines and best practices to thorough checklists and audit trails, we provide all the tools necessary to ensure that nothing is overlooked. This includes:

- **Detailed Guidelines**: Step-by-step instructions and best practices to guide you through every stage of the penetration testing process.
- **Thorough Checklists**: Comprehensive checklists to ensure all critical aspects are covered, leaving no room for oversight.
- **Audit Trails**: Robust audit trails that document every action and decision, providing transparency and accountability throughout the testing process.

#### Transforming Security and Compliance

Embrace this innovative methodology and transform the way you achieve security and compliance. The Methodology for Information Security Research with Audit Value represents a comprehensive, participatory approach that elevates the standards of penetration testing. By focusing on open standards, addressing requirements and their consequences, and providing all necessary compliance tools, we ensure that your security measures are not only effective but also thoroughly documented and auditable.

Join us in pioneering a new era of cybersecurity. Discover the future of penetration testing with the Methodology for Information Security Research with Audit Value, and ensure that your security practices are second to none.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/EFL9RJ/</url>
            <location>Main track</location>
            
            <attendee>Brenno de Winter</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>C8PRBG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-C8PRBG</pentabarf:event-slug>
            <pentabarf:title>The Registry Rundown</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T113000</dtstart>
            <dtend>20240905T120000</dtend>
            <duration>003000</duration>
            <summary>The Registry Rundown</summary>
            <description>The talk will cover the basics of the Windows Registry and its structure, including the different hives (e.g. HKLM, HKCU) and their purpose. We will then delve into the different ways the registry can be accessed, both locally and remotely.

Lots of information can be gathered from a remote system via the Remote Registry, such as installed software, configuration, and user activity, all using the privileges of a regular domain user without local administrator permission.

We will share some interesting findings that we came across that facilitate lateral movement via the registry (bypassing remote UAC). We also successfully used the Remote Registry service to bypass typical jumpbox restrictions that normally don’t allow the user to login via RDP directly.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/C8PRBG/</url>
            <location>Main track</location>
            
            <attendee>Cedric Van Bockhaven</attendee>
            
            <attendee>Max Grim</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DSMSJH@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DSMSJH</pentabarf:event-slug>
            <pentabarf:title>Securing OT, too hard or not for me?</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T120000</dtstart>
            <dtend>20240905T123000</dtend>
            <duration>003000</duration>
            <summary>Securing OT, too hard or not for me?</summary>
            <description>Presentation outline:
- Introduction
- Why is OT different from IT?
- OT threats
	- Targeted (critical infrastructure) vs non-targeted (generic OT)
	- Example threat scenarios:
		- Ransomware
		- (Preposition for) sabotage
		- Supply chain and suppliers
		- Internet-connected OT devices and hacktivists
- Security testing OT
	- Why is this different?
	- Approach
- Common vulnerabilities and weaknesses
	- Network design &amp; security architecture
		- Purdue model
		- Firewall configuration
		- Virtualisation
		- Switching infrastructure
	- Windows systems
		- Active Directory
		- Vulnerabilities
		- Hardening
	- HMI, PLC, sensors and actuators
		- Weak or default passwords
		- Vulnerabilities
		- Insecure protocols
- Conclusions &amp; recommendations
- Questions</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/DSMSJH/</url>
            <location>Main track</location>
            
            <attendee>Erwin Paternotte</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>ZEXPCK@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-ZEXPCK</pentabarf:event-slug>
            <pentabarf:title>Protecting organizations against AITM: lessons learned.</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T133000</dtstart>
            <dtend>20240905T140000</dtend>
            <duration>003000</duration>
            <summary>Protecting organizations against AITM: lessons learned.</summary>
            <description>There’s been an upsurge in the number of AITM-based attacks. BEC fraud operators use it as MFA is more and more common. But the appearance of SaaS providers in the AITM space makes these attacks easier to perform and therefore more common. Booking.com has been a popular target, allowing attackers to use the hotel operator login to phish credit cards by sending upcoming guests reminders to pay. The fact that these reminders are sent via the booking.com app makes them super trustworthy. At the same time, environments such as M365/EntraID are popular targets for other operators. This past year we’ve been trying to prevent and detect these types of attacks. The goal of the presentation is to make attendees aware of the risks, the different operators and types of attacks happening today.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/ZEXPCK/</url>
            <location>Main track</location>
            
            <attendee>Rik van Duijn</attendee>
            
            <attendee>Wesley</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>CTQP8R@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-CTQP8R</pentabarf:event-slug>
            <pentabarf:title>Offensive Development in Modern Languages</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T140000</dtstart>
            <dtend>20240905T143000</dtend>
            <duration>003000</duration>
            <summary>Offensive Development in Modern Languages</summary>
            <description>As a security professional, building tools to support your operations is no longer optional. Offensive specialists need to build advanced and custom malware to effectively stay under the radar and simulate threats, and effectively automate full attack workflows to cover large scopes and ensure repeatable results.

In this talk, Cas will explore the concept of &quot;Offensive Development&quot;, how it differs from malware development, and how choosing the right language from modern programming languages such as Rust, Golang, Python and Nim can significantly impact your tools (and your sanity). 

Cas will provide insights into the strengths and weaknesses of each language, supported by case studies that highlight their practical, real-world applications in offensive security. These case studies will also highlight the importance of good developer practice to ensure your next repository doesn&#x27;t have to contain a disclaimer that says &quot;POC CODE - DON&#x27;T RUN IN PRODUCTION&quot; ;)

This talk is designed for both seasoned offensive security professionals and beginners with a foundational technical understanding. It will provide valuable insights not only for red teamers but for the broader security industry, emphasizing the importance of automation and a development mindset in today&#x27;s complex security landscape.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/CTQP8R/</url>
            <location>Main track</location>
            
            <attendee>Cas van Cooten</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>GMGBGE@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-GMGBGE</pentabarf:event-slug>
            <pentabarf:title>Attacking Primary Refresh Tokens using their MacOS implementation</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T143000</dtstart>
            <dtend>20240905T151500</dtend>
            <duration>004500</duration>
            <summary>Attacking Primary Refresh Tokens using their MacOS implementation</summary>
            <description>While Microsoft Entra Primary Refresh Tokens remain mostly undocumented, on Windows there has been quite some research into how they work and how they can be attacked or protected. Despite several hiccups (read: vulnerabilities) in getting there, the implementation is now mostly secure if you have a Trusted Platform Module (TPM). On other platforms, the Primary Refresh Token is also used but its implementation is undocumented. We decided to investigate how Microsoft implemented Primary Refresh Tokens on MacOS, how they are protected and how hard (or easy) it is for attackers to steal them. During the investigation, we encountered more undocumented protocol features, leading to the discovery of deviceless Primary Refresh Tokens (PRTs). These deviceless PRTs are, as the name implies, only tied to a user and not a device. In some environments this might already be enough for an attacker to achieve their goal, since these PRTs could be obtained during phishing. 

In this session, we will talk about the PRT internals, their protection on MacOS, and on the current and new PRT implementation Microsoft introduced using the Platform SSO capabilities.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/GMGBGE/</url>
            <location>Main track</location>
            
            <attendee>Olaf Hartong</attendee>
            
            <attendee>Dirk-jan Mollema</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YZRPBK@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YZRPBK</pentabarf:event-slug>
            <pentabarf:title>Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T154500</dtstart>
            <dtend>20240905T162500</dtend>
            <duration>004000</duration>
            <summary>Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!</summary>
            <description>## 1. Methodology and Our New Attack Surface

We focus on exploring the interactions between Apache Httpd modules, as mentioned in the abstract. Apache Httpd is a world constructed of modules, even the official documentation highlights that:

*URL: https://httpd.apache.org/docs/2.4/mpm.html*

&gt; Apache HTTP Server 2.0 extends this modular design to the most basic functions of a web server.

Httpd modules are free to register hooks to the phases they&#x27;re interested in. An HTTP request will **walk through** all modules, and at each stage, it&#x27;s up to the modules to decide whether to ACCEPT or REJECT the current request. An issue arises from the fact that:

&gt; Modules do not fully understand each other&#x27;s implementation details. However, they are asked to collaborate to complete the entire HTTP process.

For an HTTP request, all modules share and maintain an internal data structure `request_rec` with nearly a hundred members. If there is an ambiguity in understanding the same structure member among modules, it can easily lead to problems. Similarly, if a module mistakenly modifies a member that is insignificant to it but crucial to another module in this shared structure, it might affect other modules&#x27; decisions and cause problems, too!


## 2. Proposed THREE Attacks and EIGHT New Vulnerabilities

Based on the concept mentioned above, we have created 3 distinct types of Confusion Attacks on Apache HTTP Server:

1. **Filename Confusion Attack**: For a same HTTP request, some modules treat `r-&gt;filename` as a URI, while others treat it as a filesystem path. This inconsistency causes security issues such as source code disclosure or ACL/Authentication Bypass.
2. **DocumentRoot Confusion Attack**: For any RewriteRule Mapping, Httpd would try to access both the relative path and absolute path. This leads to unintended files accessing outside the DocumentRoot.
3. **Handler Confusion Attack**: For the same `request_rec` structure, under certain conditions, `r-&gt;content_type`, `r-&gt;handler`, and `r-&gt;filename` are interconnected and can be transformed into each other, leading to security issues such as SSRF or RCE.

These Confusion Attacks can be transformed into different types of vulnerability classes. So far, we have uncovered 8 vulnerabilities in Apache HTTP Server, including:

1. **CVE-2024-38477 - important**: Apache HTTP Server: Crash resulting in Denial of Service in mod_proxy via a malicious request
2. **CVE-2024-38476 - important**: Apache HTTP Server may use exploitable/malicious backend application output to run local handlers via internal redirect
3. **CVE-2024-38475 - important**: Apache HTTP Server weakness in mod_rewrite when first segment of substitution matches filesystem path
4. **CVE-2024-38474 - important**: Apache HTTP Server weakness with encoded question marks in backreferences
5. **CVE-2024-38473 - moderate**: Apache HTTP Server proxy encoding problem
6. **CVE-2024-38472 - important**: Apache HTTP Server on Windows UNC SSRF
7. **CVE-2024-39573 - moderate**: Apache HTTP Server: mod_rewrite proxy handler substitution
8. **CVE-2023-38709 - moderate**: Apache HTTP Server: HTTP response splitting

You can check the [Apache HTTP Server website](https://httpd.apache.org/security/vulnerabilities_24.html) for details!

Our presentation will focus mainly on vulnerabilities #2, #3, #4, #5 and #7. The impacts include, but are not limited to:

- Sensitive Information Leakage
- Denial-of-Service Attack
- ACL and Authentication Bypass
- Arbitrary Server-Side Source Code Disclosure
- Arbitrary File Read
- SSRF (Server-Side Request Forgery)
- RCE (Remote Code Execution)


## 3. Demo

We will demonstrate how a long-underestimated bug type can be transformed into powerful exploits, including Info-Leak, SSRF, and RCE by leveraging Httpd&#x27;s internal features.

This breakthrough is powered by our innovative Confusion Attack technique, enhancing our capability to intricately navigate and manipulate Httpd modules.


## 4. Previous Work

As far as I know, attacks that specifically target the inconsistencies within Httpd&#x27;s internal structure have been rare. The closest discussion on this topic was presented by Max Dmitriev at ZeroNights 2021:

*Title: Apache 0day bug, which still nobody knows of, and which was fixed accidentally*
*Slide: https://tinyurl.com/bdxdfk8j*

However, the discussion did not extensively explore this avenue. The publicly available bug description suggests that the real issue was not precisely identified.

&gt; &quot;...a lack of control over an Apache error when using php-cgi and ModSecurity...&quot;

In reality, any handler based on `Content-Type` should be vulnerable, indicating that not only php-cgi but also the widely utilized mod_php could be at risk.


## 5. Notes

The issues we have identified are present in the core modules of Apache Httpd, not in third-party modules that are rarely or never installed. :)</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/YZRPBK/</url>
            <location>Main track</location>
            
            <attendee>Orange Tsai</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>DKGN93@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-DKGN93</pentabarf:event-slug>
            <pentabarf:title>Closing Keynote: U-matter</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T162500</dtstart>
            <dtend>20240905T165500</dtend>
            <duration>003000</duration>
            <summary>Closing Keynote: U-matter</summary>
            <description>To be announced/It&#x27;s gonna be a surprise.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/DKGN93/</url>
            <location>Main track</location>
            
            <attendee>Inge Bryan</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>8QBSMA@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-8QBSMA</pentabarf:event-slug>
            <pentabarf:title>Securing devices or profits? Examining the device security of a network appliance vendor</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T110000</dtstart>
            <dtend>20240905T113000</dtend>
            <duration>003000</duration>
            <summary>Securing devices or profits? Examining the device security of a network appliance vendor</summary>
            <description>This talk will focus on Cisco Meraki&#x27;s efforts to secure their recent devices against unsigned code execution, the specific steps they&#x27;ve taken, and details on the mistakes made that allow users to run an open-source firmware like OpenWrt on their device. You can expect photos of hardware disassembly, C code, and disassembler screenshots.

I will also go over what steps you can take if you plan to ship an embedded device and want to prevent tampering. Finally, I will discuss the moral and ethical issues surrounding secure boot, device re-use, and e-waste.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/8QBSMA/</url>
            <location>Second track</location>
            
            <attendee>Hal Martin</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>XFDFLL@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-XFDFLL</pentabarf:event-slug>
            <pentabarf:title>Elevate Your Skills: From COM object fundamentals to UAC bypasses</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T113000</dtstart>
            <dtend>20240905T120000</dtend>
            <duration>003000</duration>
            <summary>Elevate Your Skills: From COM object fundamentals to UAC bypasses</summary>
            <description>n/a</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/XFDFLL/</url>
            <location>Second track</location>
            
            <attendee>Tijme Gommers</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>LN3EPV@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-LN3EPV</pentabarf:event-slug>
            <pentabarf:title>Exploiting the Core: A Deep Dive into Kernel Driver Vulnerability Hunting</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T120000</dtstart>
            <dtend>20240905T123000</dtend>
            <duration>003000</duration>
            <summary>Exploiting the Core: A Deep Dive into Kernel Driver Vulnerability Hunting</summary>
            <description>In this talk, we will explore the crucial aspects of finding and exploiting vulnerabilities in kernel drivers, a key area in cybersecurity research. Kernel drivers are core system components, and vulnerabilities in these components can have a large impact on systems. The talk will begin by highlighting the importance of kernel driver vulnerabilities and the impact they can have, demonstrated through real-world examples of malware and threat actor activities.

We will share insights from our own research, revealing the prevalence of vulnerabilities in various drivers and the types of vulnerabilities we&#x27;ve encountered. Attendees will learn about all aspects needed to kick-start vulnerability research in this area. This includes building a driver database, understanding different driver types, knowing which ones are most likely to contain exploitable vulnerabilities and recognizing common vulnerability classes.

The talk will also cover practical aspects of interacting with drivers, including methods for loading them and understanding the communication interfaces between user and kernel space. This knowledge is critical for understanding the attack surface of drivers. Additionally, we will discuss setting up a research environment and several automated tools to streamline the process of vulnerability discovery.

Overall, this talk aims to equip participants with the skills and knowledge needed to start their journey in finding kernel driver vulnerabilities, enhancing their ability to contribute to cybersecurity defenses. Whether you&#x27;re a beginner or looking to refine your techniques, this session will provide valuable insights into this complex and impactful area of research.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/LN3EPV/</url>
            <location>Second track</location>
            
            <attendee>Jan-Jaap Korpershoek</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>8ZA3CU@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-8ZA3CU</pentabarf:event-slug>
            <pentabarf:title>An angel, python, root and config walked into a bar...</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T133000</dtstart>
            <dtend>20240905T140000</dtend>
            <duration>003000</duration>
            <summary>An angel, python, root and config walked into a bar...</summary>
            <description>The talk will begin with a short story on how the entire process started before proceeding into details on the NsaRescueAngel backdoor (CVE-2024-29972). Once there is a basic understanding of the core requirements set to exploit it, we will move along into the authentication mechanisms present: their flaws, consequences and results (CVE-2024-29974, CVE-2024-29972, CVE-2024-29976). Further on, the talk will investigate a Python code injection caused by the architectural design of a CherryPy webserver present on the machine (CVE-2024-29973), and how the framework design caused the developers to first fix one zero-day found by IBM (CVE-2023-27992) and in a future update reimplement it once more. Finally, previous patches performed on the code injection will receive a brief investigation and conclusions for the set questions will be drawn.

# Key questions the talk intends to address
* What were the actual vulnerabilities I found?
* Insight into patterns and trends observed in past CVEs 
* Can we expect to see more of them?</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/8ZA3CU/</url>
            <location>Second track</location>
            
            <attendee>Timothy Hjort</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>YWRH7X@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-YWRH7X</pentabarf:event-slug>
            <pentabarf:title>All cops are broadcasting: Breaking TETRA after decades in the shadows</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T140000</dtstart>
            <dtend>20240905T143000</dtend>
            <duration>003000</duration>
            <summary>All cops are broadcasting: Breaking TETRA after decades in the shadows</summary>
            <description>This talk is an overview of the most important of the five uncovered issues, collectively dubbed TETRA:BURST. 

First, we uncover the presence of a deliberate backdoor in the TEA1 cipher, which is used in critical infrastructure. This backdoor reduces the effective key strength from 80 to 32 bits, rendering it vulnerable to an exhaustive search attack. The demonstrated attack is fully passive, and runs in under a minute. 
Second, we present a keystream recovery attack which works regardless of the cipher employed, affecting all encrypted TETRA networks. 
Furthermore, we discuss a de-anonymization attack with counter-intelligence implications and a flaw in the authentication protocol. 

Additionally, we provide the attendee with background information on TETRA&#x27;s role in critical infrastructure as a SCADA telecontrol link, and how the TEA1 backdoor proliferated throughout Europe, exposing our critical infrastructure as well as several European military and police users to very severe risks.

See [https://midnightblue.nl/tetraburst](https://midnightblue.nl/tetraburst) for more details.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/YWRH7X/</url>
            <location>Second track</location>
            
            <attendee>Wouter Bokslag</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>VBC9AB@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-VBC9AB</pentabarf:event-slug>
            <pentabarf:title>How to crack seven billion passwords?</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T143000</dtstart>
            <dtend>20240905T150000</dtend>
            <duration>003000</duration>
            <summary>How to crack seven billion passwords?</summary>
            <description>In this presentation we dive into the process of cracking billions of passwords, and how this data can be used to protect organizations against account takeovers. Covered topics:
    • Introduction. Many well-known attacks started using credential stuffing and account takeovers. Think, for example, of TicketMaster and Uber. But what exactly happened? What motivated the hackers? What went wrong at the victims? What’s the scale of the problem?
    • Password blacklisting, email breach notification, password breach notification: what are the differences? Explanation of the techniques that power well-known services like HaveIBeenPwned and products from the tech giants. They might look similar, but they are not.
    • Why do most well-known defenses not protect against account takeover attacks? Techniques like rate limiting and anomaly detection are typically not effective. More complex password policies can even be counterproductive.
    • How to get raw data? For free? Without TOR? Getting raw data is easy. The amount of (semi-)publicly available data is overwhelming. Processing the data is more challenging. 
    • Passwords: how did it all start? History of password storage and password cracking. Lessons (not) learned over the decades.
    • What are the right tools for the job? Different password hashing algorithms have different characteristics. Some algorithms were not designed for storing passwords at all. Some other algorithms were specifically designed to not work well on generic, cost-effective hardware, making cracking extremely slow. How to overcome this? We have built FPGA-based crackers based on ex-Bitcoin miners, to achieve an orders-of-magnitude speed advantage over conventional hardware.
    • How to use recovered credentials to protect accounts? So now we’ve got over seven billion email/password pairs. How to use this unique dataset to disrupt cybercrime?
    • Results and conclusion.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/VBC9AB/</url>
            <location>Second track</location>
            
            <attendee>Jeroen van Beek</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>PGAYXE@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-PGAYXE</pentabarf:event-slug>
            <pentabarf:title>Graph API Mastery - Logs to Real World Attacks</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T150000</dtstart>
            <dtend>20240905T152000</dtend>
            <duration>002000</duration>
            <summary>Graph API Mastery - Logs to Real World Attacks</summary>
            <description>Graph API Mastery: From Logs to Real-World Impact

Introduction

Microsoft Graph API provides a unified endpoint to access Microsoft 365 services, enabling developers to build powerful applications that integrate deeply with the Microsoft ecosystem. This presentation will explore how to leverage Graph API logs for enhanced operational security.

Obtaining the Logs
We will discuss methods to access and retrieve logs from Graph API, focusing on setting up appropriate permissions and using relevant endpoints to gather valuable data.

Correlatable Fields &amp; Useful Functions
Learn about fields that can be correlated across different logs and systems to create a comprehensive view of user and application activities. We will also cover useful KQL functions for data analysis.

Delegated vs Application Permissions
Understand the differences between delegated and application permissions, their use cases, and best practices for managing permissions to ensure security and compliance.

Attack Patterns and Hunting/Detection Opportunities
Explore common attack patterns targeting Microsoft Graph API and discover strategies for threat hunting and detection. We will highlight specific indicators of compromise and techniques to identify malicious activities.

From the Frontlines – Real World Stories
Real-world examples and case studies illustrating attacks observed on the frontlines, highlighting how organizations could have used Graph API logs to prevent/monitor security incidents.

Highlighting other researchers and their work
Highlight contributions from other researchers and authors who have done great work on Microsoft Graph API research. This will include a snippet of who to follow and what they’ve done.

Conclusion
A summary of key takeaways and best practices for leveraging Microsoft Graph API in your organization. Emphasis on the importance of continuous monitoring and the potential for future enhancements. This session aims to equip security professionals with the knowledge to effectively use Microsoft Graph API logs.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Talk</category>
            <url>https://pretalx.com/orangecon-2024/talk/PGAYXE/</url>
            <location>Second track</location>
            
            <attendee>Shiva P</attendee>
            
            <attendee>Parthiban R</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>FKFSX9@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-FKFSX9</pentabarf:event-slug>
            <pentabarf:title>Detect and Reverse engineer - Quick wins for defenders</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T110000</dtstart>
            <dtend>20240905T120000</dtend>
            <duration>010000</duration>
            <summary>Detect and Reverse engineer - Quick wins for defenders</summary>
            <description>If you are interested in reverse engineering and detection engineering, and you want a workshop where we learn from each other by making valuable detections on public samples, then you should look no further! In this workshop we will use Ghidra and some famous public samples to identify quick detection engineering wins.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/orangecon-2024/talk/FKFSX9/</url>
            <location>Workshop track 1</location>
            
            <attendee>Yassir Laaouissi</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>7YRCCN@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-7YRCCN</pentabarf:event-slug>
            <pentabarf:title>Getting familiar with DESFire</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T133000</dtstart>
            <dtend>20240905T153000</dtend>
            <duration>020000</duration>
            <summary>Getting familiar with DESFire</summary>
            <description>This workshop dives into the basics of the MIFARE DESFire smartcard - a popular smartcard for high-security access control and ticketing systems. The workshop will start with a short lecture covering important concepts of the DESFire standard:

- What standards DESFire is built on top of
- DESFire logical structure
- DESFire authentication &amp; cryptography
- Analyzing DESFire with Proxmark3
- Possible pitfalls.

Afterwards, the hands-on portion of the workshop starts. A set of traces of communication between a DESFire card and a card reader with implementation defects will form the basis of the challenges. Each participant will get access to a Proxmark3 and a blank DESFire card during the workshop, with the goal of &quot;cloning&quot; the card used in the trace and tricking the card reader into letting you through.

**IMPORTANT**: This workshop requires you to bring your own laptop with Proxmark3 (Iceman fork) v4.18589 client software installed (https://github.com/RfidResearchGroup/proxmark3/releases/tag/v4.18589). Instructions on how to prepare the environment can be found under the &quot;PROXMARK3 INSTALLATION AND OVERVIEW&quot; section of the README. A working Proxmark3 and DESFire card will be provided for use during the workshop. This can be done on a VM with a USB3 controller configured, but expect occasional communication timeouts if you choose to do so.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/orangecon-2024/talk/7YRCCN/</url>
            <location>Workshop track 1</location>
            
            <attendee>Sebastiaan Groot</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>TTMYBL@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-TTMYBL</pentabarf:event-slug>
            <pentabarf:title>HackTheBox &amp; CTF Methodology - Hands-on workshop</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T110000</dtstart>
            <dtend>20240905T120000</dtend>
            <duration>010000</duration>
            <summary>HackTheBox &amp; CTF Methodology - Hands-on workshop</summary>
            <description>Join Remco van der Meer and Jorian Woltjer for a unique and hands-on workshop where we&#x27;ll explore the following points:
- Introduction to HackTheBox &amp; Capture The Flag (CTF)
- Link to real penetration tests
- Live Walkthrough of an easy HackTheBox challenge</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/orangecon-2024/talk/TTMYBL/</url>
            <location>Workshop track 2</location>
            
            <attendee>Remco van der Meer</attendee>
            
            <attendee>Jorian Woltjer</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>3HFRVB@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-3HFRVB</pentabarf:event-slug>
            <pentabarf:title>Be lazy like a cat, making pentesting fun again</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T133000</dtstart>
            <dtend>20240905T143000</dtend>
            <duration>010000</duration>
            <summary>Be lazy like a cat, making pentesting fun again</summary>
            <description>Join us for an engaging workshop designed for security enthusiasts eager to improve their vulnerability assessment and reporting skills. 

In this session, you&#x27;ll learn how to accurately describe vulnerabilities, detail reproduction steps, assess impact, and provide effective remediation advice. We&#x27;ll introduce an advanced methodology that significantly reduces the time required for these tasks.

Participants will gain access to specialized templates that streamline the vulnerability reporting process, making it more efficient and less time-consuming. After a brief explanation of the methodology, you will have the opportunity to apply the templates in practical exercises, gaining firsthand experience and enhancing your cybersecurity skills.

This workshop is perfect for anyone passionate about security, looking to enhance their technical skills, and seeking efficient methods for vulnerability assessment and reporting.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/orangecon-2024/talk/3HFRVB/</url>
            <location>Workshop track 2</location>
            
            <attendee>Brenno de Winter</attendee>
            
            <attendee>Mischa van Geelen</attendee>
            
        </vevent>
        
        <vevent>
            <method>PUBLISH</method>
            <uid>F7Q7ZG@@pretalx.com</uid>
            <pentabarf:event-id></pentabarf:event-id>
            <pentabarf:event-slug>-F7Q7ZG</pentabarf:event-slug>
            <pentabarf:title>Finding vulnerabilities with CodeQL</pentabarf:title>
            <pentabarf:subtitle></pentabarf:subtitle>
            <pentabarf:language>en</pentabarf:language>
            <pentabarf:language-code>en</pentabarf:language-code>
            <dtstart>20240905T143000</dtstart>
            <dtend>20240905T153000</dtend>
            <duration>010000</duration>
            <summary>Finding vulnerabilities with CodeQL</summary>
            <description>This session will introduce the fundamentals of security research when looking for vulnerabilities in software via source code review. We will use an example of a simple vulnerability, walk through how CodeQL could detect it, and provide examples of how the audience could use CodeQL to find vulnerabilities themselves. We will also introduce how we could scale our security research to thousands of projects at once using multi-repository variant analysis.

If you can, please set up the workshop codespace before the workshop by following the instructions in the workshop repository: http://gh.io/orangecon-2024-ws
The codespace is basically a virtual machine from GitHub, which you can use for free for up to 120 hours, and this one will automatically set up everything you need for running CodeQL. After you are done remember to go to https://github.com/codespaces, select the three dots next to the codespace and choose “Stop codespace” so you don’t use up your hours.
We are also going to set it up together during the workshop, so feel free to wait until the workshop day to do the setup.</description>
            <class>PUBLIC</class>
            <status>CONFIRMED</status>
            <category>Workshop</category>
            <url>https://pretalx.com/orangecon-2024/talk/F7Q7ZG/</url>
            <location>Workshop track 2</location>
            
            <attendee>Sylwia Budzynska</attendee>
            
        </vevent>
        
    </vcalendar>
</iCalendar>
